Yeah :) well, the point is people, as a rule, are morons. They remember a million things about everyday life, yet wouldn't keep 24 (or even 12!) characters in a row if asked to. Such is human nature, and therefore we'll always have problems with passwords. Complex, unique, learnt; pick two.
On 11 December 2012 13:55, <[email protected]> wrote:

> @
> different and strong passwords written down in his desk drawer to each account
>
> :) Well, the folks in IT departments usually have something that sounds like clean desktop policy (approved by the vice president in charge of passwords...)
>
> > I like the hint they put in the headlines. It says "safe, faster, and easier" and not "safer, faster, and easier." :)
> >
> > I see several objections to OpenID, the biggest one by far being the fact that, assuming the most common implementation, you entrust authentication to a lot of third parties, which means some of the breach and downtime venues aren't controlled by you. You could technically run your own OpenID auth server and allow only that server, but then no one can use their current OpenID accounts and you miss the point of having it.
> >
> > Then we have the more obvious objections such as "one set of credentials to rule them all? You must be mad!" But in the end, end-user security is nothing but compromises and tradeoffs. If you were to choose between the user having different but weak passwords in his head to each account, different and strong passwords written down in his desk drawer to each account, or only one strong password in his head to all accounts, what would you choose?
> >
> > What indeed?
> >
> > [email protected] wrote:
> >
> >> :) do you mean these? http://openid.net/
> >>
> >>> Not at all. There are plenty of free solutions out there, people only need to start using them. And also boycott service providers with lacklustre security practices.
> >>>
> >>> Yahoo! has been setting the standard for bad practices in general for many years now. Why some people still insist on using them is beyond me.
> >>>
> >>> dkataike <[email protected]> wrote:
> >>>
> >>>> Sent from Samsung Mobile
> >>>>
> >>>> kizito Mudambo <[email protected]> wrote:
> >>>>
> >>>> we need to find a long term solution for these issues... look at man-in-the-middle attack, we are at the mercy of hackers unless you use a PGP, GPG or military grade encryption...
> >>>>
> >>>> On Dec 10, 2012 8:22 PM, "[email protected]" <[email protected]> wrote:
> >>>>
> >>>> Password authentication, when implemented correctly, is safe enough for low-sec purposes. While brute force is effective *eventually*, if five consecutive authentication failures leads to account lockdown and a red flag somewhere, such an attack will not be feasible. Unfortunately, in the last few years some larger soc sites (I'm looking at you, Twitter) have been inexcusably lax in their security, with no limits on authentication failures whatsoever. If you are in charge of a web site implementing password authentication and it does not have measures against repetitive failures, give yourself a good hard slap across the face and rectify this.
> >>>>
> >>>> That said, I've been a proponent of pre-shared key authentication for several years. All major browsers support this reasonably uniformly, and the reason we're not using it boils down to laziness and some drawbacks which are rapidly getting outmoded. Several years ago people used several different computers as temporary workstations as they only owned a non-portable desktop computer if they owned any computer at all. Nowadays we do our work with laptops, tablets, and smartphones. We seldom use another person's terminal anymore, because we always carry our own terminals in our bags and pockets. Using shared keys has suddenly become more feasible; I hope our providers get with the program soon.
> >>>>
> >>>> kizito Mudambo <[email protected]> wrote:
> >>>>
> >>>> doesn't Yahoo Mail support 2-step authentication... the real truth is passwords are no longer safe enough no matter how strong they are.... the only way for now is two-step authentication, as simple as that
> >>>>
> >>>> On Dec 10, 2012 2:51 PM, "Colline Waiswa" <[email protected]> wrote:
> >>>>
> >>>> I don't know how the breach took place but I highly doubt it was guessed coz I think it had the characteristics of a good password.
> >>>> 1: it was quite long (over 10+ characters)
> >>>> 2: had alternating capitalization
> >>>> 3: had at least 1 special character
> >>>> 4: was unrelated to my cat, team, etc.
> >>>>
> >>>> Colline
> >>>>
> >>>> ------------------------------
> >>>> On Mon, Dec 10, 2012 3:08 AM PST Benjamin Tayehanpour wrote:
> >>>>
> >>>>> Most *targeted* breaches are, yes. If you know a specific user and you want that user's account, specifically, then password-guessing is common. But this was quite evidently not a targeted breach, otherwise spam would be the least of his/her problems. Most non-targeted breaches (as in: "I have this lovely piece of spam I want to distribute, so I need one thousand hacked accounts") happen through lousy workstation security, with spyware or MITM attacks swiping the credentials.
> >>>>>
> >>>>> I'm curious. What was your password, Colline? Since you've changed it, it shouldn't hurt to reveal it, right?
> >>>>>
> >>>>> On 10 December 2012 11:58, Victor van Reijswoud <[email protected]> wrote:
> >>>>>
> >>>>>> Most breaches are because of poor passwords (except this one, of course :) ). Interesting overview here:
> >>>>>> http://nakedsecurity.sophos.com/2012/07/13/yahoo-voices-poor-passwords/
> >>>>>>
> >>>>>> On Mon, Dec 10, 2012 at 11:19 AM, Benjamin Tayehanpour <[email protected]> wrote:
> >>>>>>
> >>>>>> Any idea how the breach happened yet? Password-guessing for spam-related purposes is quite rare nowadays, with sophisticated brute force protection and especially if the password is a good strong one (which I assume, since you're a Linux user and thus have common sense). Did you have your password written down somewhere accessible? Did you save it with a password manager on a public computer? Did you link your account to some other account (Facebook/Twitter/&c.) which is compromised?
> >>>>>>
> >>>>>> On 10 December 2012 10:28, Colline Waiswa <[email protected]> wrote:
> >>>>>>
> >>>>>>> Seeing as my sent mail folder is full of that message sent to all my contacts, I am pretty sure the mailbox was gotten into.
> >>>>>>>
> >>>>>>> Colline
> >>>>>>>
> >>>>>>> ------------------------------
> >>>>>>> On Mon, Dec 10, 2012 12:42 AM PST Mike Barnard wrote:
> >>>>>>>
> >>>>>>> > On 9 December 2012 17:37, Benjamin Tayehanpour <[email protected]> wrote:
> >>>>>>> >
> >>>>>>> >> Without SPF protection, I could send e-mails which look like they originate from your account, and the receiver will have no means of verifying the sender address since SPF isn't implemented. That's one of many reasons why Yahoo! is a bad e-mail service provider. I'm not saying we should ban all users of Yahoo!; I'm saying Yahoo! as a service provider should be boycotted due to the numerous flaws in their service.
> >>>>>>> >>
> >>>>>>> >> That said, I'm glad you managed to change the password so you didn't lose the account. Such things can be a real pain otherwise! Do you know how the breach happened?
> >>>>>>> >
> >>>>>>> > The "breach" will most likely happen again... I doubt that the person actually got into his mailbox. Most spam from Yahoo addresses tends to be from botnets that take advantage of the fact that one cannot legitimately check whether it's actually Yahoo who sent the email.
> >>>>>>> >
> >>>>>>> > --
> >>>>>>> > Mike
> >>>>>>> >
> >>>>>>> > Of course, you might discount this possibility, but remember that one in a million chances happen 99% of the time.
> >>>>>>> > ------------------------------------------------------------
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> The Uganda Linux User Group: http://linux.or.ug
> >>>>>>>
> >>>>>>> Send messages to this mailing list by addressing e-mails to: [email protected]
> >>>>>>> Mailing list archives: http://www.mail-archive.com/[email protected]/
> >>>>>>> Mailing list settings: http://kym.net/mailman/listinfo/lug
> >>>>>>> To unsubscribe: http://kym.net/mailman/options/lug
> >>>>>>>
> >>>>>>> The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/
> >>>>>>>
> >>>>>>> The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.
_______________________________________________
The Uganda Linux User Group: http://linux.or.ug

Send messages to this mailing list by addressing e-mails to: [email protected]
Mailing list archives: http://www.mail-archive.com/[email protected]/
Mailing list settings: http://kym.net/mailman/listinfo/lug
To unsubscribe: http://kym.net/mailman/options/lug

The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/

The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.
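The point made in the quoted thread that five consecutive authentication failures should lead to account lockdown plus a red flag, worked through as an added example (not code from the list or from any provider discussed); the 15-minute lock duration, the class names and the simulated scenario are assumptions:

```python
from dataclasses import dataclass, field

MAX_FAILURES = 5        # consecutive failures before lockdown (the thread's figure)
LOCK_SECONDS = 15 * 60  # assumed lock duration; the thread does not give one


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success
    locked_until: float = 0.0  # unix time until which logins are refused


@dataclass
class LoginGuard:
    """Tracks per-account failure streaks; locks the account and raises an alert."""
    accounts: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)  # the "red flag somewhere"
    checked: int = 0  # attempts that actually reached the password check

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return 'ok', 'denied' or 'locked' for one authentication attempt."""
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"  # refused before the password is even checked
        self.checked += 1
        if password_ok:
            st.failures = 0  # a success ends the streak
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            # Temporary lock rather than permanent: someone who knows only the
            # username must not be able to lock the real owner out for good.
            # The alert is what an operator acts on.
            st.locked_until = now + LOCK_SECONDS
            st.failures = 0
            self.alerts.append({"user": user, "at": now, "event": "lockout"})
            return "locked"
        return "denied"


def simulate_guessing(user: str, guesses: int) -> tuple:
    """Constructed scenario: `guesses` wrong passwords against one account, one per second.
    Returns (attempts that reached the password check, alerts raised)."""
    guard = LoginGuard()
    for i in range(guesses):
        guard.attempt(user, password_ok=False, now=float(i))
    return guard.checked, len(guard.alerts)


if __name__ == "__main__":
    print(simulate_guessing("victim", 100))  # (5, 1)
```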
